SQL Server 2008 Books Online (November 2009): Understanding SQL Server Audit
http://msdn.microsoft.com/en-us/library/cc280386.aspx 12.5.2010 15:01:05
Target
The results of an audit are sent to a target, which can be a file, the Windows Security event log, or the Windows Application event log. (Writing to the Security log is not available on Windows XP.) Logs must be reviewed and archived periodically to make sure that the target has sufficient space to write additional records.
Important:
Any authenticated user can read and write to the Windows Application event log. The Application event log requires lower permissions than the Windows Security event log and is less secure than the Windows Security event log. Writing to the Windows Security log requires the SQL Server service account to be added to the Generate security audits policy. By default, the Local System, Local Service, and Network Service are part of this policy. This setting can be configured by using the security policy snap-in (secpol.msc). Additionally, the Audit object access security policy must be enabled for both Success and Failure. This setting can be configured by using the security policy snap-in (secpol.msc). In Windows Vista or Windows Server 2008, you can set the more granular application generated policy from the command line by using the audit policy program (AuditPol.exe). For more information about the steps to enable writing to the Windows Security log, see How to: Write Server Audit Events to the Security Log. For more information about the Auditpol.exe program, see Knowledge Base article 921469, How to use Group Policy to configure detailed security auditing.

The Windows event logs are global to the Windows operating system. For more information about the Windows event logs, see Event Viewer Overview.

If you need more precise permissions on the audit, use the binary file target. When you are saving audit information to a file, to help prevent tampering, you can restrict access to the file location in the following ways:
- The SQL Server Service Account must have both Read and Write permission.
- Audit Administrators typically require Read and Write permission. This assumes that the Audit Administrators are Windows accounts for administration of audit files, such as copying them to different shares, backing them up, and so on.
- Audit Readers that are authorized to read audit files must have Read permission.

Even when the Database Engine is writing to a file, other Windows users can read the audit file if they have permission. The Database Engine does not take an exclusive lock that prevents read operations. Because the Database Engine can access the file, SQL Server logins that have CONTROL SERVER permission can use the Database Engine to access the audit files. To record any user that is reading the audit file, define an audit on master.sys.fn_get_audit_file. This records the logins with CONTROL SERVER permission that have accessed the audit file through SQL Server.
If an Audit Administrator copies the file to a different location (for archive purposes, and so on), the ACLs on the new location should be reduced to the following permissions:
- Audit Administrator: Read / Write
- Audit Reader: Read

We recommend that you generate audit reports from a separate instance of SQL Server, such as an instance of SQL Server Express, to which only Audit Administrators or Audit Readers have access. By using a separate instance of the Database Engine for reporting, you can help prevent unauthorized users from obtaining access to the audit record. You can offer additional protection against unauthorized access by encrypting the folder in which the audit file is stored by using Windows BitLocker Drive Encryption or Windows Encrypting File System. For more information about the audit records that are written to the target, see SQL Server Audit Records.
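The file target and the fn_get_audit_file audit described above, as an added T-SQL example that is not part of Books Online. The folder path, audit names and the assumption that the folder ACL has already been restricted as listed are the author's, not the page's.

```sql
-- Added example (not from Books Online). Assumes D:\SqlAudit\ exists and its
-- ACL is already limited to the service account, Audit Administrators and
-- Audit Readers as described in the text. Audit names are assumptions.
USE master;
GO
-- 1. Server audit writing to the binary file target (not an event log).
CREATE SERVER AUDIT Audit_FileTarget
TO FILE (
    FILEPATH = N'D:\SqlAudit\',
    MAXSIZE = 100 MB,            -- roll over so the target never fills the disk
    MAX_ROLLOVER_FILES = 50,
    RESERVE_DISK_SPACE = OFF
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- 2. Record every login that reads the audit files through the Database
--    Engine (CONTROL SERVER holders included): audit SELECT on the
--    table-valued function in master that exposes the files.
CREATE DATABASE AUDIT SPECIFICATION Audit_FileReaders
FOR SERVER AUDIT Audit_FileTarget
ADD (SELECT ON OBJECT::sys.fn_get_audit_file BY public)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_FileTarget WITH (STATE = ON);
GO
-- 3. An Audit Reader querying the files; from now on this read is itself
--    written to the target. Action 'SL' is SELECT in sys.dm_audit_actions.
SELECT event_time, server_principal_name, action_id, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*', DEFAULT, DEFAULT)
WHERE action_id = 'SL'
ORDER BY event_time DESC;
```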
Considerations
In the case of a failure during audit initiation, the server will not start. In this case, the server can be started by using the -f option at the command line. When an audit failure causes the server to shut down or not to start because ON_FAILURE=SHUTDOWN is specified for the audit, the MSG_AUDIT_FORCED_SHUTDOWN event will be written to the log. Because the shutdown will occur on the first encounter of this setting, the event will be written one time. This event is written after the failure message for the audit causing the shutdown. An administrator can bypass audit-induced shutdowns by starting SQL Server in Single User mode using the -m flag. If you start in Single User mode, you will downgrade any audit where ON_FAILURE=SHUTDOWN is specified to run in that session as ON_FAILURE=CONTINUE. When SQL Server is started by using the -m flag, the MSG_AUDIT_SHUTDOWN_BYPASSED message will be written to the error log. For more information about service startup options, see Using the SQL Server Service Startup Options.
SPECIFICATION command to connect the orphaned audit specification to an existing server audit. Or, use the CREATE SERVER AUDIT command to create a new server audit with the specified GUID. You can attach a database that has an audit specification defined on it to another edition of SQL Server that does not support SQL Server Audit, such as SQL Server Express, but it will not record audit events.
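Checks for the two failure modes just described (an audit that will stop the server on write failure, and a database audit specification orphaned by a GUID that matches no server audit), as an added T-SQL example that is not part of Books Online. It uses only the catalog views and the sys.xp_readerrorlog procedure; no audit objects are assumed to exist.

```sql
-- Added example (not from Books Online). Run on the instance to review;
-- section 2 must run inside the attached database because
-- sys.database_audit_specifications is database-scoped.

-- 1. Which audits would shut the server down on failure, and are they
--    currently enabled and writing? on_failure_desc shows SHUTDOWN/CONTINUE.
SELECT sa.name,
       sa.type_desc,
       sa.on_failure_desc,
       sa.is_state_enabled,
       st.status_desc,
       st.status_time,
       st.audit_file_path
FROM sys.server_audits AS sa
LEFT JOIN sys.dm_server_audit_status AS st ON st.audit_id = sa.audit_id
ORDER BY sa.name;

-- 2. Orphaned database audit specifications: their audit_guid matches no
--    server audit on this instance, so nothing they define is recorded.
SELECT das.name AS database_audit_specification,
       das.audit_guid,
       das.is_state_enabled
FROM sys.database_audit_specifications AS das
LEFT JOIN sys.server_audits AS sa ON sa.audit_guid = das.audit_guid
WHERE sa.audit_id IS NULL;

-- 3. Look in the current SQL Server error log (log 0, type 1) for the
--    forced-shutdown and shutdown-bypassed messages. The page names them by
--    message identifier; the logged text differs, so filter on 'audit' and
--    inspect the rows returned.
EXEC sys.xp_readerrorlog 0, 1, N'audit';
```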
See Also
Concepts
- Auditing (Database Engine)
- SQL Server Audit Action Groups and Actions
- SQL Server Audit Records
- SQL Server Audit How-to Topics

Other Resources
- Audits Node (Object Explorer)
- Audits (General Page)
- Server Audit Specifications (General Page)
- Database Audit Specifications (General Page)

Help and Information
- Getting SQL Server 2008 Assistance
2010 Microsoft Corporation. All rights reserved.